DEV Community

Cover image for Continuous Delivery applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer – Part 1

Continuous Delivery applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer – Part 1

Level 200

A common task for security engineers is to grant the correct permissions set around the AWS environments applying the least privilege, keeping a central review access, continuous refinement, continuous policy validation. AWS IAM access analyzer provides these capabilities and allows you automate the process.
In this series you can learn how to apply the best practices and automate the process using IAM Access Analyzer and Amazon Boto3 SDK to automate the validation process with AWS Developer tools.

Use case

Imagine that you are a security engineer and must validate the IAM policies documents for IAM identity policies and Inline policies for permissions set. At the beginning a lot of these policies are defined in json format in source code and you must include the validation steps into the CD pipeline to manage the authorization as code.

Solution Overview

Requirements

  • validate-aws-policies
  • Python >= 3.10.4

AWS Services

  • AWS IAM Access Analyzer: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.

  • AWS SDK for Python (Boto3): Boto3 makes it easy to integrate your Python application, library, or script with AWS services including Amazon S3, Amazon EC2, Amazon DynamoDB, and more.

Hands On

First, explore the command line tool validate-aws-policies, this allows you to validate a set of policies defined into a folder in simple json format. This tool also allows to create the html report or pdf and also publish the results into a bucket in zip format.



validate-aws-policies -h
usage: validate-aws-policies [-h] [-c] [-u UPLOAD_REPORT] [-b] [-d DIRECTORY_POLICIES_PATH] [-p PROFILE] [-z] [-cp] [-v]

options:
  -h, --help            show this help message and exit
  -c, --ci              Run into pipeline if it's present
  -u UPLOAD_REPORT, --upload_report UPLOAD_REPORT
                        Upload reports to s3 bucket
  -b, --bucket_name     Use this flag for setting the bucket tool if --upload_report is present.
  -d DIRECTORY_POLICIES_PATH, --directory_policies_path DIRECTORY_POLICIES_PATH
                        Path where Policies are defined in json format
  -p PROFILE, --profile PROFILE
                        AWS cli profile for Access Analyzer Api
  -z, --zip_reports     Set in True if you want to create a zip file for reports
  -cp, --create_pdf_reports
                        Set it if you want to create a pdf report, this need wkhtmltopdf file for reports
  -v, --version         Print the package version


Enter fullscreen mode Exit fullscreen mode

For example:

You must have a session with an AWS Profile, for this example the profile name is labvel-devsecops.

Finally, you can watch the html report in your browser or in the terminal output.

The report is created in the same path where you run the command with the date and in html report by default for example: AccessAnalyzerReport_2024-08-04 13:12:07.285648.html.

HTML report for Access Analyzer

You can find the source code here:

GitHub logo velez94 / validate-aws-policies

Python CLI to validate aws policies using boto3 and Access Analyzer API

Validate AWS policies

This package scan AWS SCP policies and create report in HTML and PDF format.

Pre-Requirements

Setup AWS Cli profile for interacting with IAM access analyzer API using IAM or SSO credentials.

Requirements

  • python >= 3.8

Install

$ pip install --upgrade validate-aws-policies

From AWS CodeArtifacts repository

You must have a user into AWS account Sophos Organization, it could be for projects, products, or IT internal Organizations. Before create AWS CLI profile using AWS IAM Identity Center (SSO) or IAM.

  1. Configure your pip cli for download package from private CodeArtifacts repository

$ aws codeartifact login --tool pip --repository <repository_name> --domain <domain> --domain-owner <123456789012>  --profile <profile_name> --region <repository_region>
$ pip install --upgrade validate-aws-policies

From Azure Artifacts repository

Project setup

Ensure you have installed the latest version of the Azure Artifacts keyring from the "Get the tools" menu.

If you don't already have one, create a virtualenv using these instructions from…

Thanks for reading and sharing!! 🤓🤓

Top comments (0)